Lessons Learned from building the Azure Let's Encrypt Site Extension
Global Azure Bootcamp 2019 - Copenhagen
Simon J.K. Pedersen
@simped / mail@sjkp.dk
Quick Intro
- Azure Web Apps
- Site Extensions
- SSL Certificates
- Let's Encrypt
How many of you use Azure Web Apps with a custom domain?
Are you paying for your SSL certificate?
Why did I build it
Personal challenge / learning opportunity
Learnings
- Azure Web Apps behind the scenes
- Moving on from the site-extension approach (Functions and ACI)
- Using Key Vault and ARM templates
Azure Web Apps
- So many application frameworks are used
- Some people have massive deployments
- Web Jobs in site extensions...
- Server farms/app service plans and their location
- Not all scale units are created equal
- Deploy from ZIP/read-only disk
- Kudu API
- Traffic manager
Moving on
- Avoid support requests when people mess up the web job
- Avoid support requests when working with Service Principals
- Support other Azure services
- Azure CDN
- Azure API Management
- Azure Functions
- Better security (KeyVault)
Attempt #1
- Make an API
- Host the API in the site-extension
- Let people call the API from Azure Functions/Logic Apps
- More trouble for the user
- Why even use site-extension
Attempt #2
- Make a NuGet package
- Let people do it themselves
- And some did...
Attempt #3
- Wait for Microsoft to do it...
Attempt #4
- Found certes (https://github.com/fszlin/certes)
- Rewrite to .NET Core (so we can use Azure Functions v2 and Docker)
- Support wildcard
- Realize a lot of DNS providers are VERY slow at propagating DNS changes
- Use Managed Service Identity
- Use KeyVault
Demo Time
Architecture
![](https://s3.amazonaws.com/media-p.slid.es/uploads/156879/images/6071298/pasted-from-clipboard.png)
KeyVault and ARM Templates
- Existing resources (in different resource groups)
  - Azure DNS
  - Azure Web App
- What we want to deploy
  - KeyVault
  - Azure Function (Storage Account & App Service Plan)
  - Managed Service Identity
  - App Settings
  - Application Insights
  - Role Assignments to the Managed Service Identity
Managed Service Identity
![](https://s3.amazonaws.com/media-p.slid.es/uploads/156879/images/6070130/system-assigned.png)
Key Vault Access to MSI
![](https://s3.amazonaws.com/media-p.slid.es/uploads/156879/images/6070140/keyvault.png)
Save secrets in Vault
![](https://s3.amazonaws.com/media-p.slid.es/uploads/156879/images/6070142/secrets.png)
Reference Secrets
![](https://s3.amazonaws.com/media-p.slid.es/uploads/156879/images/6070154/reference-secrets.png)
Role Assignments
![](https://s3.amazonaws.com/media-p.slid.es/uploads/156879/images/6070157/role-assignments.png)
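The Managed Service Identity, the vault access policy, the secret saved in the vault, the Key Vault reference in app settings and the role assignment that the slides above show as portal screenshots can be expressed in one ARM template. The template below is an added example for this page, not the site extension's or the talk's own template: parameter names, resource names and apiVersions are assumptions, the permission set granted to the identity is an assumption about what the function needs, the App Service Plan, storage account and Application Insights from the deployment list are left out for brevity (the plan is passed in as the resource id of an existing one), and the GUID is Azure's built-in DNS Zone Contributor role definition.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "functionAppName": { "type": "string", "metadata": { "description": "Assumed name of the new Function App" } },
    "appServicePlanId": { "type": "string", "metadata": { "description": "Resource id of an existing App Service Plan (assumed pre-created)" } },
    "keyVaultName": { "type": "string" },
    "dnsZoneName": { "type": "string", "metadata": { "description": "Existing Azure DNS zone, e.g. example.com" } },
    "dnsZoneResourceGroup": { "type": "string", "metadata": { "description": "Resource group that holds the existing DNS zone" } },
    "acmeAccountEmail": { "type": "securestring" },
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "variables": {
    "functionAppId": "[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]",
    "secretId": "[resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), 'AcmeAccountEmail')]",
    "dnsZoneContributorRole": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]"
  },
  "resources": [
    {
      "comments": "Function App with a system-assigned identity; no secrets are put in its settings at this point",
      "type": "Microsoft.Web/sites",
      "apiVersion": "2018-11-01",
      "name": "[parameters('functionAppName')]",
      "location": "[parameters('location')]",
      "kind": "functionapp",
      "identity": { "type": "SystemAssigned" },
      "properties": { "serverFarmId": "[parameters('appServicePlanId')]", "httpsOnly": true }
    },
    {
      "comments": "Key Vault whose only access policy is the Function App's managed identity (the permission list is an assumption)",
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2018-02-14",
      "name": "[parameters('keyVaultName')]",
      "location": "[parameters('location')]",
      "dependsOn": [ "[variables('functionAppId')]" ],
      "properties": {
        "tenantId": "[subscription().tenantId]",
        "sku": { "family": "A", "name": "standard" },
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[reference(variables('functionAppId'), '2018-11-01', 'Full').identity.principalId]",
            "permissions": { "secrets": [ "get", "set" ], "certificates": [ "get", "import" ] }
          }
        ]
      }
    },
    {
      "comments": "Secret saved in the vault instead of in plain-text app settings",
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2018-02-14",
      "name": "[concat(parameters('keyVaultName'), '/AcmeAccountEmail')]",
      "dependsOn": [ "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" ],
      "properties": { "value": "[parameters('acmeAccountEmail')]" }
    },
    {
      "comments": "App settings applied last, so the Key Vault reference can resolve once the access policy exists",
      "type": "Microsoft.Web/sites/config",
      "apiVersion": "2018-11-01",
      "name": "[concat(parameters('functionAppName'), '/appsettings')]",
      "dependsOn": [ "[variables('secretId')]" ],
      "properties": {
        "FUNCTIONS_EXTENSION_VERSION": "~2",
        "AcmeAccountEmail": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('secretId')).secretUriWithVersion, ')')]"
      }
    },
    {
      "comments": "Nested deployment into the other resource group: the identity gets DNS Zone Contributor on the zone only",
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2018-05-01",
      "name": "dns-zone-role-assignment",
      "resourceGroup": "[parameters('dnsZoneResourceGroup')]",
      "dependsOn": [ "[variables('functionAppId')]" ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.Network/dnszones/providers/roleAssignments",
              "apiVersion": "2018-09-01-preview",
              "name": "[concat(parameters('dnsZoneName'), '/Microsoft.Authorization/', guid(variables('functionAppId'), parameters('dnsZoneName')))]",
              "properties": {
                "roleDefinitionId": "[variables('dnsZoneContributorRole')]",
                "principalId": "[reference(variables('functionAppId'), '2018-11-01', 'Full').identity.principalId]",
                "principalType": "ServicePrincipal"
              }
            }
          ]
        }
      }
    }
  ]
}
```

The ordering is the point: the site is created first so its identity has a principalId, the vault's access policy is keyed on that principalId, the secret goes in, and only then are the app settings written, so the `@Microsoft.KeyVault(SecretUri=...)` reference resolves at runtime and the secret value itself never appears in the app settings or the template outputs. The role assignment is scoped to the single DNS zone in its own resource group through the nested deployment rather than granting Contributor on the subscription, and because the identity is system-assigned there is no Service Principal secret to hand out or rotate.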
Link